asUDP :  schmittMachine support schmittMachine Support Home
Questions related to the asUDP Xtra 
asUDP Xtra not autodownloadable
Posted by: antoine schmitt ()
Date: April 25, 2007 11:38PM

Note that I have not decided yet if I should make this Xtra autodownloadable : it is declared shockwave-safe, but I have not built the packages. The reason is that I am not sure that it is totally safe. Indeed, the shockwave-safe page at Adobe states that an Xtra should not give access to the local IP address of the computer. This is why I have disabled the getLocalIP function in shockwave.

But the very handy getBytesWithSenderInfo function gives access to the IP of the sender of a message. So by sending a message to myself, I automatically get access to my localIP...

I do not want to disable the getBytesWithSenderInfo function because it is necessary to reply to an UDP packet, and I don't see why I would disable it anyway, since a sender IP is not private information : all browsers know their requestor IPs.

I may be tired this evening, but I don't see any solution. Ideas welcome.

Cheers !

Options: ReplyQuote
Re: asUDP Xtra not autodownloadable
Posted by: nacho ()
Date: August 15, 2007 09:00PM

I would like to use asUDP Xtra in a shockwave website but I think it should be auto-downloadable to work properly. Being just "shockwave safe" is not enough because I can't ask every visitor to manually install the Xtra in their computers. I think it is acceptable that the user "accepts" the downloading by clicking some warning window.

Options: ReplyQuote
Re: asUDP Xtra not autodownloadable
Posted by: antoine schmitt ()
Date: August 15, 2007 09:26PM

Hi,
I am still blocked by this problem of confidentiality/security about the localIP, and haven't found a way around yet. If you have any idea, it is welcome...

Options: ReplyQuote
Re: asUDP Xtra not autodownloadable
Posted by: nacho ()
Date: August 16, 2007 07:14PM

Hi Antoine! Thank you for your prompt reply. How do you can obtain your own IP address sending a message to yourself? If you send a message to "localhost" you get 127.0.0.1. And I think that to send a message to your actual IP address you must already know your IP address. Am I missing something?

In the case there was a way to get your own IP address implying a security concern,
do you think it's posible to disable some functionality (similar to what you've done with function getLocalIP) in order to make it safe? I think you can forbid sending messages to oneself or replacing the IP field with some known value (like 0.0.0.0) when receiven a message from our IP address.

Thank you in advance.
nacho

Options: ReplyQuote
Re: asUDP Xtra not autodownloadable
Posted by: antoine schmitt ()
Date: August 17, 2007 11:57AM

Actually, when one sends to localHost or 127.0.0.1, one gets the real IP address (ex: 192.168.0.12) on the receiving side... But I agree that I could change the Xtra to hide this (if shockwave and hostIP = localhost IP, return the "localhost" string).

I'm still a bit scared to release this Xtra as a package. I would not like hackers to use this Xtra (that is signed with my name) for malicious purposes. I'll ask for advices on the mailing-lists... Stand by...

Options: ReplyQuote
Re: asUDP Xtra not autodownloadable
Posted by: nacho ()
Date: August 17, 2007 07:55PM

I tested the file UDPDemo.dir in the projector and inside Director MX 2004 and in both cases I see 127.0.0.1 when sending to localhost, as oposed to getting my address (ex: 192.168.0.5) when sending to my own IP address. I've attached a screenshot of my test: first I send to localhost and then to my host. I've used a Windows PC for the tests, perhaps the result is different in Mac.

Though I can't reproduce this issue in my computer, I understand your concern about the security and that your name is in the signature.

Thank you,
nacho

Attachments: send_to_localhost.png (54.3 KB)  
Options: ReplyQuote
Re: asUDP Xtra not autodownloadable
Posted by: antoine schmitt ()
Date: August 17, 2007 11:29PM

Yes, I was testing on Mac... Good to know that on Windows, I will not have to hide the sender.. ;-)

Well, I asked for advices about security on some lists, and am waiting for some returns. For now, it seems that putting up a yes/no alert when accessing a remote site is enough (added to the protection of the local IP). Let's wait a bit for more advices...

Thanks for your ideas and energy.

Just to know, what is your application that uses UDP in a browser ?

Options: ReplyQuote
Re: asUDP Xtra not autodownloadable
Posted by: nacho ()
Date: August 18, 2007 12:26AM

Hi! Thank you for your interest.
I'm doing some research on peer-to-peer web online gaming across NAT. The problem with NAT routers is that when two computers are behind different NATs they can't see one to each other, so nobody can initiate the connection.

Here is a very explanatory paper on different techniques to achieve the goal of getting across NAT: [www.brynosaurus.com]
As far as I know, the most successful of those techniques is called "UDP Hole Punching", which is based on UDP messages sent between the peers.

The subject is really exciting and it would be great if it can be made for web online gaming.

Options: ReplyQuote
Re: asUDP Xtra not autodownloadable
Posted by: nacho ()
Date: August 24, 2007 04:33PM

Here is some information about STUN protocol: [en.wikipedia.org]
It allows a host to determine which kind of NAT has and their public address. That is used while doing the Hole Punching to comunicate two host together.

Options: ReplyQuote


Sorry, only registered users may post in this forum.
This forum powered by Phorum.